Oracle Entitlements Server 11g and 11gR2 integration

This section describes how to configure API Gateway to authorize an authenticated user against Oracle Entitlements Server (OES) 11g and 11gR2. This will be demonstrated by the following:

API Gateway will authenticate a user against its local user repository

API Gateway will then delegate the authorization decision for the specified resource to OES

The OES 11g Authorization filter is used to delegate the authorization decision to OES. This filter assumes that an authentication filter has been configured prior to it. Therefore, by the time the authorization filter executes, the authentication.subject.id message attribute is populated and its value is used as the subject in the authorization request to OES.

The following diagram shows the sequence of events that occurs when a client sends a message to API Gateway. The request sender is authenticated by API Gateway and is then authorized against Oracle Entitlements Server. If the user is permitted to access the requested resource, the request is routed to the Enterprise Application. Otherwise an appropriate fault message is returned to the client.

Prerequisites

API Gateway

You must have installed API Gateway version 7.5.3 or higher and have received a valid license from Axway.

This integration is also valid for the API Gateway Appliance (physical or virtual) version 7.5.3 or higher.

OES user

You must create an OES user called weblogic. Refer to the OES documentation for instructions on how to add a user.

API Gateway local user store

You must have added the weblogic user to the API Gateway local user store. The policy you will set up later requires an authenticated user's request to be authorized against OES. By adding the weblogic user to the local user store, the client can authenticate as this user. The user name will then be stored in the authentication.subject.id message attribute, which is then passed to the OES 11g Authorization filter and subsequently on to OES to make the authorization decision.

OES client

You must have installed the OES client (security module) on the machine running API Gateway. The OES client has its own installer, which is available from www.oracle.com.

Note

In the following integration steps, this version of the OES client was used: Oracle Entitlements Server Security Module 11g - 11.1.2.0.0.

The OES client installer requires that a JRE is available on the target machine. In the absence of a preferred JVM on the target machine, API Gateway ships with a JRE that can be used. On UNIX, the JRE is located in INSTALL_DIR/apigateway/platform/jre.

Start the OES client installer from the command line and pass the JRE location using the jreLoc argument as follows:

UNIX/Linux

./runInstaller –jreLoc INSTALL_DIR/apigateway/platform/jre

OES 11g or 11gR2

You must have installed, configured, and started OES 11g or 11gR2. For example, you can start it using the following commands on a UNIX-based system: